mintoolkit / mint

minT(oolkit): Mint awesome, secure and production ready containers just the way you need them! Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
https://github.com/mintoolkit/mint
Apache License 2.0
184 stars 10 forks source link

Add nil check for current docker context #68

Closed eharris128 closed 1 month ago

eharris128 commented 1 month ago

What

Why

Initial Bug Reproduction Steps

The panic: image

How Tested

eharris128 commented 1 month ago

Consequence of not performing the other work this PR leaves out:

image

Maybe the onus is on the user?

kcq commented 1 month ago

Consequence of not performing the other work this PR leaves out:

image

Maybe the onus is on the user?

Need to fail more gracefully either way... Don't need any credentials to pull the "busybox@sha256:05..." image. Also not quite sure where the "invalid reference format" API error is coming from.

kcq commented 1 month ago

Consequence of not performing the other work this PR leaves out:

image

Maybe the onus is on the user?

@eharris128 looks like we need a couple of enhancements here... First, the "getDockerCredential - failed to acquire local docker config path" warning login needs an extra check to see if the error is "no docker credentials provider found" (there's no error var defined for it in go-dockerclient unfortunately). The "no docker credentials provider found" is ok because it just means there's no credentials provider for the target registry, which happens all the time. If it's that error then we don't need to log the warning (pkg/crt/docker/dockercrtclient/dockercrtclient.go#L294) and we can do the same thing as if we don't find the auth config.

The "image.inspector.Pull" warning shows that repo is "busybox@sha256" and tag is "05a79...", which explains that "invalid reference format" API error. The pull logic in the image inspector needs to be enhanced to parse image paths with digests properly. Right now it simply splits on ":" expecting "name:tag", but it needs to check if we have a digest by checking for "@" and then split on "@" when we have "name@algorithm:hashvalue".
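Added example, not part of the thread and not mint's own code: a Go sketch of the digest-aware split described in the comment above, next to a stand-in for the split-on-":" behaviour it replaces. `ImageRef`, `naiveSplit` and `ParseImageRef` are hypothetical names, the sample references and digest value are constructed, and the registry-port handling goes beyond the case discussed in the thread.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageRef is a hypothetical type for this example, not a mint type.
type ImageRef struct {
	Repo   string // e.g. "busybox" or "localhost:5000/team/app"
	Tag    string // empty when the reference carries no tag
	Digest string // "algorithm:hashvalue", empty when no digest is given
}

// naiveSplit stands in for the behaviour described in the thread:
// split on the first ":" and treat the result as name:tag.
func naiveSplit(ref string) (repo, tag string) {
	repo, tag, _ = strings.Cut(ref, ":")
	return repo, tag
}

// ParseImageRef (hypothetical) checks for "@" first, then looks for a tag.
func ParseImageRef(ref string) (ImageRef, error) {
	var out ImageRef
	name := ref
	if at := strings.LastIndex(ref, "@"); at >= 0 {
		name, out.Digest = ref[:at], ref[at+1:]
		algo, hash, ok := strings.Cut(out.Digest, ":")
		if !ok || algo == "" || hash == "" {
			return ImageRef{}, fmt.Errorf("malformed digest in %q", ref)
		}
	}
	// A ":" before the last "/" is a registry port, not a tag separator.
	slash := strings.LastIndex(name, "/")
	if colon := strings.LastIndex(name, ":"); colon > slash {
		name, out.Tag = name[:colon], name[colon+1:]
	}
	if name == "" {
		return ImageRef{}, fmt.Errorf("empty repository in %q", ref)
	}
	out.Repo = name
	return out, nil
}

func main() {
	// Constructed references; the digest is a placeholder, not a real image digest.
	for _, ref := range []string{"busybox:1.36", "busybox@sha256:0123abcd",
		"localhost:5000/busybox:1.36@sha256:0123abcd"} {
		r, err := ParseImageRef(ref)
		nr, nt := naiveSplit(ref)
		fmt.Printf("%s naive=(%q,%q) parsed=%+v err=%v\n", ref, nr, nt, r, err)
	}
}
```
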

eharris128 commented 4 weeks ago

For completeness - ran into the similar config enhancement opportunity with k8s in my testing last night.

image

Podman / containerd I did not test to see their behavior.